MalwareTech

Infamous Skynet Botnet Author Allegedly Arrested

On the 4th of December the German Federal Criminal Police Office (BKA) issued a press release stating they had arrested two suspects for computer crimes, with the support of GSG 9 (a German special operations unit). The release detailed that the two suspects had reportedly modified, distributed and used existing malware as part of a botnet, which had been responsible for mining over 700,000 euros worth of bitcoins (which have now been confiscated). Evidence of other crimes was also found, such as fraud and distribution of copyrighted pornographic material. The full press release is in German but can be read here.

Skynet is a botnet that uses a modified version of the Zeus banking trojan, communicates using the IRC protocol (through TOR), and primarily mines bitcoins as well as harvesting banking information. The botnet is thought to be one of the first to use a TOR hidden service for its command and control server in order to evade sinkholing. The author gained a large amount of media publicity in late 2012 due to his unusual openness about his illegal activities, mainly on Twitter and Reddit (in the form of an “Ask Me Anything” thread).

Although it cannot be confirmed that the pair arrested were those behind the Skynet botnet, the author hasn’t tweeted since the alleged arrest, and multiple sources who have worked closely with him have confirmed he was arrested. The story lines up with the Skynet author’s operations, such as selling banking information, mining bitcoin, using modified malware, and running a porn site.

A day prior to the alleged arrest the author appeared to be working on upgrading the Skynet malware to use a modified version of the leaked Carberp bootkit, allowing the malware to start before antivirus software and run with kernel mode privileges.

Update (12/5/13 2:09):
According to researchers at Botconf, GData have confirmed that the arrest is that of the Skynet author.

Update (12/6/13 12:39):
A single tweet was posted from @skynetbnet’s Twitter account stating that the authorities had the wrong guy; no tweets have been made since. It would seem the tweet is either an automated message or one he asked a friend to post in the event of his arrest. Multiple people have in fact confirmed that the Skynet author has been arrested.

You have the wrong guy. Use this tweet as evidence to do the right thing and release him.
— Hacklemore (@skynetbnet) December 5, 2013